From 56caef51e40d4494986d94175434ea89b62ca564 Mon Sep 17 00:00:00 2001
From: Aurelian Zanoschi <Aurelian.Zanoschi@freescale.com>
Date: Thu, 2 May 2013 17:29:04 +0300
Subject: dpa_offload: Added checks for dpa stats user provided params

Added extra checks for user provided params at counter creation to avoid
DPA Stats driver getting stuck.

Change-Id: Ic1cef09937217529c34d9b8dfc1c608fe93c195d
Signed-off-by: Aurelian Zanoschi <Aurelian.Zanoschi@freescale.com>
Reviewed-on: http://git.am.freescale.net:8181/2876
Tested-by: Review Code-CDREVIEW <CDREVIEW@freescale.com>
Reviewed-by: Chereji Marian-Cornel-R27762 <marian.chereji@freescale.com>
Reviewed-by: Fleming Andrew-AFLEMING <AFLEMING@freescale.com>

diff --git a/drivers/staging/fsl_dpa_offload/dpa_stats.c b/drivers/staging/fsl_dpa_offload/dpa_stats.c
index 1114035..15ccca2 100644
--- a/drivers/staging/fsl_dpa_offload/dpa_stats.c
+++ b/drivers/staging/fsl_dpa_offload/dpa_stats.c
@@ -1181,6 +1181,15 @@ static int set_cnt_eth_cb(struct dpa_stats_cnt_cb *cnt_cb,
 	if (cnt_sel == DPA_STATS_CNT_ETH_ALL)
 		cnt_sel -= 1;
 
+	if (params->eth_params.src.eth_id < DPA_STATS_ETH_1G_PORT0 ||
+	    params->eth_params.src.eth_id > DPA_STATS_ETH_10G_PORT1) {
+		log_err("Parameter src.eth_id %d must be in range (%d - %d) "
+			"for counter id %d\n", params->eth_params.src.eth_id,
+			DPA_STATS_ETH_1G_PORT0, DPA_STATS_ETH_10G_PORT1,
+			cnt_cb->id);
+		return -EINVAL;
+	}
+
 	/* Get FM MAC handle */
 	err = get_fm_mac(params->eth_params.src, &fm_mac);
 	if (err != 0) {
@@ -1231,6 +1240,12 @@ static int set_cnt_reass_cb(struct dpa_stats_cnt_cb *cnt_cb,
 		return -EINVAL;
 	}
 
+	if (!params->reass_params.reass) {
+		log_err("Parameter Reassembly handle cannot be NULL for counter"
+			" id %d\n", cnt_cb->id);
+		return -EFAULT;
+	}
+
 	cnt_cb->gen_cb.objs[0] = params->reass_params.reass;
 	cnt_cb->members_num = 1;
 
@@ -1283,6 +1298,12 @@ static int set_cnt_frag_cb(struct dpa_stats_cnt_cb *cnt_cb,
 		return -EINVAL;
 	}
 
+	if (!params->frag_params.frag) {
+		log_err("Parameter Fragmentation handle cannot be NULL for "
+			"counter id %d\n", cnt_cb->id);
+		return -EFAULT;
+	}
+
 	cnt_cb->gen_cb.objs[0] = params->frag_params.frag;
 	cnt_cb->members_num = 1;
 
@@ -1327,6 +1348,12 @@ static int set_cnt_plcr_cb(struct dpa_stats_cnt_cb *cnt_cb,
 		return -EINVAL;
 	}
 
+	if (!params->plcr_params.plcr) {
+		log_err("Parameter Policer handle cannot be NULL for counter id"
+			" %d\n", cnt_cb->id);
+		return -EFAULT;
+	}
+
 	cnt_cb->gen_cb.objs[0] = params->plcr_params.plcr;
 	cnt_cb->members_num = 1;
 
@@ -1385,6 +1412,11 @@ static int set_cnt_classif_tbl_cb(struct dpa_stats_cnt_cb *cnt_cb,
 		return -EINVAL;
 	}
 
+	if (prm.td == DPA_OFFLD_DESC_NONE) {
+		log_err("Invalid table descriptor %d for counter id %d\n",
+			prm.td, cnt_cb->id);
+		return -EINVAL;
+	}
 	err = dpa_classif_table_get_params(prm.td, &cls_tbl);
 	if (err != 0) {
 		log_err("Invalid table descriptor %d for counter id %d\n",
@@ -1457,6 +1489,12 @@ static int set_cnt_ccnode_cb(struct dpa_stats_cnt_cb *cnt_cb,
 		return -EINVAL;
 	}
 
+	if (!params->classif_node_params.cc_node) {
+		log_err("Parameter classification CC Node handle cannot be NULL"
+			" for counter id %d\n", cnt_cb->id);
+		return -EFAULT;
+	}
+
 	/* Copy the key descriptor */
 	err = copy_key_descriptor(&prm.key, &cnt_cb->ccnode_cb.keys[0]);
 	if (err != 0) {
@@ -1622,6 +1660,11 @@ static int set_cls_cnt_reass_cb(struct dpa_stats_cnt_cb *cnt_cb,
 	cnt_cb->members_num = params->class_members;
 
 	for (i = 0; i < params->class_members; i++) {
+		if (!params->reass_params.reass[i]) {
+			log_err("Parameter Reassembly handle cannot be NULL for"
+				" member %d, counter id %d\n", i, cnt_cb->id);
+			return -EFAULT;
+		}
 		cnt_cb->gen_cb.objs[i] = params->reass_params.reass[i];
 
 		/* Check the user-provided reassembly manip */
@@ -1677,6 +1720,11 @@ static int set_cls_cnt_frag_cb(struct dpa_stats_cnt_cb *cnt_cb,
 	cnt_cb->members_num = params->class_members;
 
 	for (i = 0; i < params->class_members; i++) {
+		if (!params->frag_params.frag[i]) {
+			log_err("Parameter Fragmentation handle cannot be NULL "
+				"for member %d, counter id %d\n", i, cnt_cb->id);
+			return -EFAULT;
+		}
 		cnt_cb->gen_cb.objs[i] = params->frag_params.frag[i];
 
 		/* Check the user-provided fragmentation handle */
@@ -1725,6 +1773,11 @@ static int set_cls_cnt_plcr_cb(struct dpa_stats_cnt_cb *cnt_cb,
 	cnt_cb->members_num = params->class_members;
 
 	for (i = 0; i < params->class_members; i++) {
+		if (!params->plcr_params.plcr[i]) {
+			log_err("Parameter Policer handle cannot be NULL for "
+				"member %d, counter id %d\n", i, cnt_cb->id);
+			return -EFAULT;
+		}
 		cnt_cb->gen_cb.objs[i] = params->plcr_params.plcr[i];
 		/* Check the user-provided policer handle */
 		FM_PCD_PlcrProfileGetCounter(cnt_cb->gen_cb.objs[i],
@@ -1985,6 +2038,12 @@ static int set_cls_cnt_ccnode_cb(struct dpa_stats_cnt_cb *cnt_cb,
 		return -EINVAL;
 	}
 
+	if (!params->classif_node_params.cc_node) {
+		log_err("Parameter classification CC Node handle cannot be NULL"
+			" for counter id %d\n", cnt_cb->id);
+		return -EFAULT;
+	}
+
 	cnt_cb->ccnode_cb.cc_node = prm.cc_node;
 	cnt_cb->members_num = params->class_members;
 
@@ -2750,6 +2809,11 @@ int dpa_stats_create_counter(int dpa_stats_id,
 	}
 	*dpa_stats_cnt_id = DPA_OFFLD_INVALID_OBJECT_ID;
 
+	if (!params) {
+		log_err("Parameter params cannot be NULL\n");
+		return -EFAULT;
+	}
+
 	dpa_stats = gbl_dpa_stats;
 
 	err = get_new_cnt(dpa_stats, &cnt_cb);
@@ -2901,6 +2965,11 @@ int dpa_stats_create_class_counter(int dpa_stats_id,
 	}
 	*dpa_stats_cnt_id = DPA_OFFLD_INVALID_OBJECT_ID;
 
+	if (!params) {
+		log_err("Parameter params cannot be NULL\n");
+		return -EFAULT;
+	}
+
 	if (params->class_members > DPA_STATS_MAX_NUM_OF_CLASS_MEMBERS) {
 		log_err("Parameter class_members %d exceeds maximum number of "
 			"class members: %d\n", params->class_members,
@@ -3060,6 +3129,11 @@ int dpa_stats_modify_class_counter(int dpa_stats_cnt_id,
 		return -EINVAL;
 	}
 
+	if (!params) {
+		log_err("Parameter params cannot be NULL\n");
+		return -EFAULT;
+	}
+
 	/* Counter scheduled for the retrieve mechanism can't be modified */
 	if (cnt_is_sched(dpa_stats, dpa_stats_cnt_id)) {
 		log_err("Counter id %d is in use\n", dpa_stats_cnt_id);
-- 
cgit v0.10.2